Spyware.Netobserve

Updated: 13 February 2007

Version: 2.0

Publisher: ExploreAnywhere Software

Risk Impact: High

File Names: broadcast.exe, no32mon.exe, EASYS.dll, syscap32.dll

Systems Affected: Windows

Behavior

Spyware.Netobserve is a computer surveillance utility that creates log files that contain information about various system activities. It can run completely in stealth mode, which means that there is no indication that Spyware.Netobserve is running on the infected computer.

Definitions dated before July 15, 2004 will detect this threat as Remacc.Netobserv.

Symptoms

The files are detected as Spyware.Netobserve.

Behavior

Spyware.Netobserve must be manually installed.

Antivirus Protection Dates

Initial Rapid Release version
02 October 2014 revision 022

Latest Rapid Release version
19 November 2018 revision 001

Initial Daily Certified version
08 July 2004

Latest Daily Certified version
19 November 2018 revision 016

Initial Weekly Certified release date
12 July 2004

According to the threat's Web site, it has the following features:

Surveillance and logging features

Internet Conversation Logging: Logs both sides of all chat conversations for AOL/ICQ/MSN/AIM/Yahoo Instant Messengers, and views them in real time.

Internet Connection/Port Viewing: Views all open Internet connections and open ports on the machine running NETObserve. An integrated Whois Lookup is also included for instantly retrieving information on any remote host. Perfect for spotting Trojan horses [malicious viruses], or any possible open areas on your network that could lead to a dangerous situation.

Process Management: Remotely views open windows and processes on the machine running NETObserve. Terminates or closes a window with a single click.

System Control: Quickly shuts down/reboots/logs off the remote machine, as well as puts the machine into Lockdown Mode. Lockdown Mode will bar the PC of any usage, and the only way to regain control of it is if the administrator unlocks it.

Window Management: Remotely deactivates and kills windows (in real time) that you do not wish to run.

Security Features

Stealth Mode: Runs NETObserve in total stealth; the user will not be aware that it is running.

Web Content Filtering: Filters out Web sites and protocols from being used, and automatically tracks attempts made to view the banned material.

Windows Startup: Configures NETObserve to start up for a single user, or to start up as a service for all users on the system.

Automatic Active Startup: Configures NETObserve to start in "Active" mode when it is executed.

Password Protection: NETObserve requires a password for starting/stopping the monitoring process, as well as when connecting to the NETObserve Web Control Panel.

128-Bit Encryption: NETObserve uses the MD5 Message Digest Algorithm [as defined in RFC 1321]. The MD5 Message Digest Algorithm is a one-way hash algorithm, which takes any length of data and produces a 128 bit "fingerprint" or "message digest." This makes it impossible for your password to be intercepted and stolen when it is sent to NETObserve for validation.

Precise User Tracking: NETObserve will log the current Windows user and the time and date an action is performed. This will allow you to precisely track down activity to the exact user, at the exact time it happened.

Inactivity Monitoring: Automatically suspends NETObserve from monitoring if the system is inactive for a specified amount of time.

Scheduling Agent: Automatically configures NETObserve to start or stop at specified times and dates, or configures it to do so at the same time every day.

Automatic Log Clearing: Automatically cleans old logs after a certain amount of data or keystrokes have been logged.

Two-Way Chat: Initiates a two-way chat room between the remote user (running the NETObserve software) and the user remotely connected to the NETObserve Web Control Panel.

Thread Priority: Adjusts SpyBuddy to adapt to your system. Using the built-in Thread Priority utility, you can make SpyBuddy run as fast as you need it to depending on your system's specifications.

Note: %SystemDrive% is a variable that refers to the drive on which the Windows installation resides. By default, this is drive C.

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

1. Update the definitions.
2. Uninstall Spyware.Netobserve using the Add/Remove Programs utility.
3. Run a full system scan and delete all the files detected as Spyware.Netobserve.
4. Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To uninstall Spyware.Netobserve

Do one of the following:

On the Windows 98 taskbar:

Click Start > Settings > Control Panel.

In the Control Panel window, double-click Add/Remove Programs.

On the Windows Me taskbar:

Click Start > Settings > Control Panel.

In the Control Panel window, double-click Add/Remove Programs. If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."

On the Windows 2000 taskbar: By default, Windows 2000 is set up the same as Windows 98, so follow the instructions for Windows 98. If otherwise, click Start, point to Settings > Control Panel, and then click Add/Remove Programs.

3. To scan for and delete the files

Start your Symantec antivirus program, and then run a full system scan.

If any files are detected as Spyware.Netobserve, click Delete.

Notes:

If your Symantec antivirus product reports that it cannot delete a detected file, write down the path and file name. Then use Windows Explorer to locate and delete the file.

If you ran the Add/Remove Programs applet as described in the previous section, all the files may have been removed, and thus none of them will be detected.

4. To delete the value from the registry

Important:
Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Note:
This is done to make sure that all the keys are removed. They may not be there if the uninstaller removed them.
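
The scan step above asks you to write down the path and file name of any detected file that cannot be deleted. The following sketch is an added example, not Symantec's tooling: it sweeps a drive or a mounted disk image for the four file names listed in this writeup and records each match with its size and SHA-256. The function names and the default root are assumptions. A name match alone is only a candidate (broadcast.exe in particular is a generic name), so confirm each hit with the scanner before deleting it.

```python
import hashlib
import os
import sys

# File names taken from this writeup's "File Names" field, lower-cased
# because Windows file names are case-insensitive.
NETOBSERVE_NAMES = {"broadcast.exe", "no32mon.exe", "easys.dll", "syscap32.dll"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_netobserve_files(root):
    """Return sorted (path, size, sha256) tuples for name matches under root."""
    hits = []
    # onerror swallows unreadable directories so the sweep keeps going.
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if name.lower() not in NETOBSERVE_NAMES:
                continue
            path = os.path.join(folder, name)
            try:
                hits.append((path, os.path.getsize(path), sha256_of(path)))
            except OSError:
                # Locked or unreadable file: keep the path for manual follow-up.
                hits.append((path, None, None))
    return sorted(hits, key=lambda hit: hit[0])


if __name__ == "__main__":
    # Default root is an assumption; pass the drive or mounted image to sweep.
    sweep_root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for path, size, digest in find_netobserve_files(sweep_root):
        print(f"{path}\t{size}\t{digest}")
```

Keeping the hash alongside the path lets you check later whether a file found under one of these names on another machine is the same binary.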